Joined: Sep. 2005
||Posted: June 29 2007,13:11
EDIT: Thought I'd preface this with a brief explanation since not everybody might be aware of why anyone would want to encrypt swap.
When using encryption of any kind - 3des, bcrypt, whatever - it's not always easy to know whether or not any sensitive plaintext data has been swapped out and written to your swap partition. Many programs "leak" sensitive information in this way. Any apps you're running may also swap out sensitive data, or portions of it.
This data can sometimes be recovered from your swap partition, sometimes surprising amounts of it. Even if it's been overwritten.
Hence, when using encryption programs, it's best to either disable swap altogether, or, if that is not an option, encrypt swap itself on the fly so that any attacker only finds gobbledegook in the swap partition.
It's easy to do this very securely on dsl with the loopaes v3.x extension, and with minimal performance penalties.
Run my script below to set this up if you can't be bothered with details.
1. Load loopaes-3.1d-2.4.26knpx_x86.dsl (or equivalent for other kernel), and run "Update_loopAES" from the fluxbox menu.
2. Suppose /dev/loop6 is free and your swap device is /dev/hda4
Do in a root shell:
# sed -i '/hda4/ d' /etc/fstab (delete the old swap line from /etc/fstab)
# echo ' /dev/hda4 none swap sw,loop=/dev/loop6,encryption=AES128 0 0' >>/etc/fstab
# dd if=/dev/zero of=/dev/hda4 bs=64k conv=notrunc
# mkswap /dev/hda4
Swap is now securely encrypted with aes128 using a random one-time key. Every time you do this, a different random key will be used.
Type losetup -a to see info about the encrypted loop setup.
(Actually if the updated loopaes v3.x loop driver and utils were included in the dsl base, I think it might be easy to add a boot option to encrypt swap this way. Running swapon -a will automatically run mkswap, and swapoff -a will pull down the loop device. So start up and shutdown scripts don't need to be changed.)